Closed codefromthecrypt closed 5 years ago
codefromthecrypt
commented
5 years ago @openzipkin/devops-tooling anyone want to smash this? although I'm not sure the impact of root user with a distroless image, I suspect it would still be good to not run as root.
jeqo
commented
5 years ago I can help with this.
MySQL, Cassandra and Elasticsearch images already run with non-root user; I can extend this to zipkin and zipkin-kafka images.
nginx container image runs as root as it exposes 80 port. We could potentially change it to nginxinc/nginx-unprivileged. I know that this is an issue in Openshift where root is not allowed.
abesto
commented
5 years ago My two cents re. impact: strictly speaking, running as root in Docker is not in itself a security issue. With user namespace support in Docker, there's no reason that root inside the container should be root outside the container. That said, methinks it's good practice to not run as root inside containers we provide, just to avoid any unpleasantness in less sophisticated setups.
I know that this is an issue in Openshift where root is not allowed.
Thanks for surfacing this, I have zero exposure to Openshift, so good to know!
@jeqo nginx/nginx-unprivileged looks solid. Let me know if you need help (because bandwidth or stuck). Thanks!
jeqo
commented
5 years ago thanks @abesto !
just to clarify, the issue with Openshift is actually to run it on port 80. I can add this change as part of a PR.
After a deeper review of the zipkin-ui, it seems to be using a non-root user already, so I think there is no need to change base image.
codefromthecrypt
commented
5 years ago ps I asked to not change the proxy image off port 80 (instead if there is something odd about openshift, remap it there).
reason is demo apps in java almost always use port 8080 and also demonstrating a proxy is routinely port 80.
Thanks for the help @jeqo!
to be more specific, see the subject :)